Hacking the Nintendo Switch – Part 1: RCM and Booting CFW
Explanation of the Switch’s Hardware Vulnerability
Although not a totally new thing, the Nintendo Switch hacking and home-brew community has blown up over the past 6 months. A flaw was discovered in the hardware of the Nintendo Switch (namely in the nVidia processor) that allows the unit to boot in to RCM mode by holding the VOL+ button and pressing Power on the console, if pins 1 and 10 of the right Joycon port are shorted. Once in RCM mode, a payload can be injected in to the Switch before boot to allow it to run unsigned code. This is a fairly common exploit for nVidia ARM-based devices (of which the Switch is one) and has been used before to gain root on various Android tablets and phones.
Unfortunately for Nintendo, this is a hardware problem and not a software issue. Because of that fact, the original run of Nintendo Switch consoles can not be patched to fix this exploit via software. For those of us who bought a switch before around July of 2018, this means that our consoles are fully exploitable. Around July 2018, Nintendo created a new hardware revision of the Switch which fixed this flaw, but the original run of consoles sold like gangbusters, so there are a lot of fully exploitable Switch consoles in the wild.
Things You’ll Need
To follow this guide, you’ll need the following items.
- An exploitable Nintendo Switch that was manufactured before July 2018
- An RCM Jig, modified paperclip, or another way to short pins 1 and 10 on the right Joycon port
- A microSD card to SD card adapter / USB SD card reader adapter to read/write to a microSD card using your PC
- An microSD card, at least 32GB in capacity. Larger is better, ideally 64GB or 128GB would be best.
- A USB Type-C to USB-A cable for connecting the Switch to a PC
- A Windows PC capable of running the RCM injection software as well as possibly other software for converting XCI to NSP images
- A copy of Notepad++ for editing text files (DO NOT use Windows Notepad)
Just as a warning – modifying your Nintendo Switch can result in a few bad things.
- The first is irreparable damage to hardware. If you manage to short the wrong pins in the Joycon port, there is a possibility that you can destroy the circuity for the port itself, or even the entire Switch console.
- The second is that Nintendo can ban your Switch from participating in legal activity, including the Switch eShop and online play. There haven’t been any instances of Nintendo bricking Switches just because they’re modified, but there have been instances of Nintendo blacklisting modified Switches from accessing their servers, for obvious reasons. While booted in to custom firmware, it’s best to keep your switch in Airplane mode, which disables both Bluetooth and Wi-Fi connectivity. If you’re extremely paranoid, you can go in to Network Settings and remove all of your Wi-Fi connection profiles for good measure.
- The third risk comes from running unknown third party home-brew software. Since we’re running home-brew apps as root, this can lead to unintended exploits by malicious third parties which could potentially brick your hardware. Only run trusted home-brew from trusted sources, and remember to check those package hashes after you download to ensure integrity.
When modifying your Switch, you’re doing so at your own risk.
Shorting Pins 1 and 10: Buying or Building an RCM Jig
There are a few options when it comes to shorting pins 1 and 10 on the right Joycon port to boot the unit in to RCM mode.
The first, and cheapest, is to simply use a bent paperclip. This is the method that a lot of people use, but to me it seems less than reliable, and there exists a very real possibility of shorting to the Switch’s metal body, or worse, shorting unintended pins in the Joycon port, which could potentially cause irreversible damage to the console.
The second option is to buy a “RCM jig” on various sites like Amazon and eBay. These are 3D printed plastic jigs that you either fit with a paperclip yourself, or already come fitted with metal connectors. These allow you to short pins 1 and 10 in a much safer way. These jigs slide down in to the port after the right Joycon is removed, and are designed to line up perfectly so that there’s no risk to shorting out the wrong pins. As you can imagine, quality control on these jigs is all over the place, since a lot of them come from China and Hong Kong, but for the most part they seem to work just fine according to reviews.
The third option is the most DIY option of the three, and that is to use a 3D printer to print your own jig and fit it with a contact yourself (again, most people use paperclips). I opted for this option, and it worked great. I used a RCM jig model sourced from Thingiverse and it worked great. I’ll upload a mirror here in case that model gets taken down. For the conductor in mine, I stripped one of the leads out of a piece of CAT5 Ethernet wire to create the contact loop and it worked great.
Preparing an SD Card
If you’re using a new microSD card, first insert it in to your Switch and let your Switch format and condition the card. It may tell you that it needs to download an update to use the microSD card. This is normal if you’ve never used this microSD card in the Switch before. Let it perform any updates and reboots it wants until it’s content with the microSD card. After your Switch has formatted the microSD card and successfully booted back to the home screen, power the switch off and remove the microSD card.
Note that you should never remove this card when the Switch is either powered on or in sleep mode. If you do, you risk corrupting the card. The Switch will display a warning message and power itself down if the card is removed when power is on. Insert the microSD card in to a microSD to SD card adapter and insert that in to an SD card reader so that you can read the contents of the microSD card on your Windows PC. Just a note – since the Switch runs a Linux-based OS, DO NOT edit any text files using Notepad in Windows or you will corrupt them. If you must edit any files as a part of this tutorial using a Windows machine, use Notepad++.
Someone has created a helpful “all in one” SD card package that you can download and extract to the root of the SD card. This includes all of the items that you’ll need to get up and running very quickly. This is continually updated, so compatibility with existing versions of Nintendo Switch firmware will vary as time goes on.To install, you can simply download this package and extract the contents of its directory to the root of the Switch’s microSD card. The current version at the time of this writing is 11.0.1. I have tested this with version 6.1 of the Switch firmware and it works fine.
I have created a backup of version 11.0.1 just in case it gets taken offline. My version also contains a utility that I’ll mention a little later in this article called kezplez-nx, which is used for dumping your console’s unique system keys – which you’ll need to do if you want to patch and play retail Switch games on your modified console. If you want to save some time, you can download my modified image here.
Regardless of the option you choose, extract the contents of the ZIP file to the root of your microSD card. if done correctly, folders like “atmosphere,” “boot loader,” “config,” etc. will be in the root of the microSD card. At this point you can put the microSD card back in the Switch console, but don’t power it on just yet.
Payload Application Download and Payload Injection
Now that your microSD card is prepared and inserted in to your Switch, you must download the TegraRcmGUI application. This is used to deliver the payload to your Nintendo Switch after you boot it in to RCM mode. This application was written for Windows, so you will need access to a Windows PC to inject the payload. Again, you have to options here for download this application. The first is to download the official application here, and the second is to download my packaged version of the application, which you can download here. I’ve uploaded this package for a couple reasons. The first is to preserve the application in case the official application is taken down, and the second is because I’ve included a baked-in XCI to NSP converter application with it, which we’ll discuss in more detail later. If you are planning on serializing and playing backed up Nintendo Switch retail games on your console, you’ll want to grab my version. My version also includes the payload required to exploit the Switch, otherwise you’d have to source that file elsewhere.
After the application has been downloaded, extract it and run TegraRcmGUI.exe. The first thing you’ll want to do is click on the Settings tab and then click the button that says Install Driver. This will install the necessary ADB drivers for Windows to recognize the Switch console. Next, go back to the Payload tab and click the little folder icon next to the Inject Payload button. You’ll want to browse to the same folder you ran TegraRcmGUI.exe from and select the hekate_ctcaer_4.2.bin file. This is the payload that we’ll be injecting to boot the Switch in to an exploitable mode.
Next you’ll want to use your RCM jig to short pins 1 and 10 on the Switch console. After the jig is installed, you can hold the VOL+ button on the Switch and press the Power button. Continue holding VOL+ for approximately 3 seconds and release. If done correctly, the screen on the Switch should remain black. If the Switch begins to boot, your pins 1 and 10 aren’t shorted correctly so you’ll have to power down the Switch and try again.
With a black screen, connect the Switch to your PC using a USB Type-C to USB A cable. Windows should recognize the Switch because of the driver that we just installed. The little “NO RCM” icon on TegraRcmGUI should now turn green letting you know that the Switch is ready to accept a payload. Click the Inject Payload button and your Switch should boot to a textual menu screen. When you see this screen, it’s ok to remove the RCM jig and put the right Joycon back on the console.
While in this menu, VOL+ acts like Up arrow, VOL- acts like Down arrow, and the Power button acts like an Enter button. You will get very familiar with navigating this menu, as doing this is required every time you want to boot your Switch in to custom firmware. That’s right. Unlike almost all other modified consoles, you must actually perform almost all of the steps we’ve done so far to boot your Switch in to CWF every time it’s powered off. This includes:
- Powering the Switch off
- Removing the right Joycon
- Using the RCM jig to short pins 1 and 10
- Connecting the Switch to your PC running TegraRcmGUI
- Powering on the Switch by holding VOL+ and pressing Power
- Injecting the Payload
- Launching CFW from the menu
At this point you’ll boot in to the default Switch home screen and be able to run home-brew from there. It’s a pain, I know, but can be mitigated by putting your Switch to sleep versus powering it off when you’re done using it. Waking a Switch from sleep allows the exploit to remain, so a full payload injection isn’t required.
Another option is to purchase a cheap $15 device that’s based on an Arduino and contains a battery and some firmware. This will allow you to run the exploit directly from the USB-C port on the Switch instead of plugging it in to a PC to run the TegraRcmGUI exploit. There is a YouTube video showing how this works, here. If you rewind to the beginning of that video, it visually shows all of the steps taken to root the Switch that you’ve read in this article up until this point. For full disclosure, I have yet to purchase and try one of these devices myself.
(Optionally) Restoring the Switch to Factory Settings
What if you boot the Switch like normal without any RCM jig or without injecting payload? Simple – it’ll act just like an unmodified Switch. You can connect to Wi-Fi, download things from the eShop, play online, play your legally downloaded eShop and card based games, etc. You won’t be able to boot in to any home-brew applications, and any installed Switch games that show up on your home screen will tell you that they’re corrupt and need to be re-downloaded if you attempt to run them while not in CFW, but that’s it. If you want to return your Switch to normal, you can delete anything installed on your home screen that wasn’t put there via legitimate means, wipe your microSD card, and nobody will be the wiser.
But what’s the fun in that?
Backing up your NAND Flash
The first thing you should do at this point is to back up your NAND. This will allow you to return the Switch to normal if anything ever happens to it via malicious home-brew software. I won’t go over the entire procedure here, since there is a great guide available from the people who write the firmware that explains what every option does in great detail here. Know that you should do this though, and keep the NAND backups in a safe location. If you’ve ever modded a Nintendo 3DS or Nintendo Wii U, this should be familiar to you. Think of these NAND backups as an image of your Switch’s OS, including all unique information about it.
Launching in to Custom Firmware and Running Home-brew
Remember than in the hekate textual menu you’ll be using the VOL+, VOL- and Power keys on the console as up, down, and enter respectively. From the main hekate menu, choose Launch and then scroll down and choose CFW under Custom Firmware. Your Switch should boot like normal. After the Switch boots to the home screen, go down and select the icon for the Picture Gallery. Instead of launching the Gallery, this will now take you in to the home-brew menu.
The default all-in-one image we downloaded above puts a few apps here, including an application that lets you modify Custom Firmware Settings (I wouldn’t mess around in here unless you know what you’re doing), a Homebrew App Store, a couple utilities called Edizon and Checkpoint for backing up and restoring Switch game saves (why doesn’t Nintendo give us the ability to do this from the factory!?), and a utility called Tinfoil for installing Switch packages/applications. There’s also a quick SD Card Update app that will update all of the default apps on the SD card as it exists now. Very handy.
From the App Store you can download FTP applications that will allow you to transfer files to the microSD card on your Switch, which is much handier than removing the SD card after powering the Switch off, copying data, then going through the whole process to deliver a payload to your Switch when rebooting it. The FTP application is a must-have. Note that transferring large files over FTP can take a long time though so it may be faster to power off the Switch and transfer them directly via the microSD card.
If you downloaded my all-in-one package above you’ll also have a utility called kezplez-nx preinstalled, which we’ll use to get the keys from our individual Switch console so that we can install retail games to the NAND flash or SD card. I will show you how to do this in Part 2. If you didn’t download my package, you can create a folder called kezplez-nx under the /switch directory on your Switch’s microSD card and copy these two files to that directory.
Conclusion
As you can see, with a few tools that you probably already have lying around the house, and a bit of software, hacking an exploitable Nintendo Switch variant is pretty easy. In this tutorial we looked at accessing the boot loader, injecting a payload that would allow us to boot custom firmware, backing up our NAND flash (just in a case!) and running home-brew software. In the next article I plan to discuss the difference between XCI and NSP files, explain how to dump unique keys from your Switch, and then use those unique keys to convert a retail ROM dump in XCI format to an installable NSP file that can be played on an exploited Switch console. That should be a good one.
If you enjoyed this tutorial and would like to see more, please feel free to share this article on social media, comment below letting me know what else you’d like to see, and follow me on Twitter @JROlmstead.
“there exists a very real possibility of shorting to the Switch’s metal body”
Shorting unintended pins is a worry (especially pin 4 to ground can permanently fuck up power delivery to the joycon rail, or worse), shorting to the metal body, not so much. In fact an alternative to shorting pins 1 and 10 is to use a cable to short the metal rail and pin 10, or the metal shroud in the fan slot and pin 10.
Where is part 2?? Thanks for the detailed guide.
Nintendo put the kabash on that. :-/